Method and system for communicating over a segmented virtual private network (VPN)

ABSTRACT

An approach for providing secure communication services is disclosed. A secure data tunnel from a source node to a destination node is established via a plurality of secure segments across a data communications network. A data path is established via the secure data tunnel, where the data path supports a performance enhancing mechanism that improves performance of data communications over the data path. The performance enhancing mechanism multiplexes data packet flows from the source node for transmission over the data path, and performs one or more of connection startup latency reduction, acknowledgment message spoofing, window sizing adjustment, compression and selective retransmission.

RELATED APPLICATIONS

This application is a continuation, and claims the benefit of priorityunder 35 U.S.C. §120, from U.S. application Ser. No. 10/352,992 (filed2003, Jan. 28), which claims the benefit of priority under 35 U.S.C.§119(e) from U.S. Provisional Application No. 60/352,462 (filed 2002,Jan. 28) and U.S. Provisional Application No. 60/392,943 (filed 2002,Jul. 01), the entireties of which are incorporated herein by reference.

FIELD

The present invention relates to secure communications over acommunications system, and more particularly to enhancing networkperformance in a Virtual Private Network (VPN) environment.

BACKGROUND

Communications service providers face the continual task of designinghigh performance and secure networks. The emergence of Virtual PrivateNetworks (VPNs) has provided network users with secure communications totheir private network from remote sites. A private network is a networkthat allows multiple locations of a network to privately communicate;that is, to the exclusion of unauthorized users. In the past, privatenetworks were implemented by using “leased line” communicationscircuits, as shown in FIG. 18. Private sites 1801, 1803, 1805, 1807 areinterconnected by leased lines 1809, which are typically dedicatedcircuits supplied by a service provider. Within each of the sites 1801,1803, 1805, 1807, multiple hosts are connected to the leased lines 1809via a router. Security of the leased lines 1809 is ensured mainly bywire-tapping laws and the integrity of the service provider thatsupplies the leased lines.

By contrast, a virtual private network (VPN) permits an enterprise tocommunicate securely across a public network in such a way that thepublic network operates as one or more private communications links.FIG. 19 is a diagram of a conventional VPN, in which multiple privatenetwork sites 1901, 1903, 1905, 1907 are connected to a public network1917, such as the Internet or a carrier's Internet Protocol (IP)internetwork. The packets originating from one private network site toanother are encrypted and often cryptographically authenticated toprovide security. In particular, the packets that are forwarded from oneindividual site to another are encrypted and carried in the payload ofone or more packets traversing the public network. This placing ofpackets within another packet is referred to as tunneling. A VPN tunnelrefers to two sites that securely exchange packets with one another bycarrying encrypted versions of those packets within other packets usingan agreed upon set of encryption algorithms and keys. With respect torouting within the Virtual Private Network, a tunnel operates, inconcept, like the leased lines of the private network of FIG. 18.

Each private network site 1901, 1903, 1905, 1907 has a VPN server 1909,1911, 1913, 1915, which performs the tunneling of VPN packets along withthe associated cryptographic functions. A VPN client 1919 has thecapability to establish a secure connection with any one of the VPNservers 1909, 1911, 1913, 1915.

Virtual private networks are attractive because the cost of oneconnection per site to a public network (which may be needed in orderfor the site's users to access hosts on the public network) is moreeconomical than a leased line type connection into a private network. Inaddition, given today's security concerns, users are finding VPNs to bea reliable security solution, in large part, because VPN protocols (suchas IPSEC) provide significantly higher security using advancedencryption technology than what is supplied by conventional privatenetworks. VPN tunnels do not allow the service providers to view thepackets within the VPN tunnel; in contrast, “leased line” serviceproviders can examine the data carried over the leased line.

For interoperability reasons, private networks are often implementedusing the TCP/IP (Transmission Control Protocol/Internet Protocol)protocol suite. However, this popular protocol suite possesses a numberof drawbacks. The performance short-comings relate to the TCP protocolitself, which was designed during the infancy of data communications inwhich the data network were unreliable. These drawbacks include TCP SlowStart, TCP Connection Establishment, limited Maximum Window Size,Go-Back-N ARQ (Automatic Repeat Request), and Discarded PacketCongestion Control. TCP Slow Start is a congestion avoidance algorithmthat limits TCP throughput on connections that have recently beenestablished. TCP Connection Establishment has the drawback of requiringa full-round trip prior to allowing user data to flow. The defaultmaximum window size (which is typically 64 KB) limits peak throughput ofa TCP connection. The lost packet recovery algorithm uses a Go-Back-Nscheme, which has significant negative performance impact when operatingon a high-bandwidth delay connection. In addition, most TCP/IP networkshandle congestion by discarding packets, which results in veryinefficient Go-Back-N retransmissions; and the TCP implementationsseverely restrict their window sizes on discovering packet loss, therebyseverely reduces throughput.

Furthermore, TCP operates relatively inefficiently, with respect tobandwidth utilization. These inefficiencies include Excessive ACK(Acknowledgement) Packets, and lack of compression. Most TCPimplementations provide a TCP ACK for either every received TCP segmentor for every other TCP received segment. The ACK traffic, thus, consumesa significant amount of bandwidth. Furthermore, because TCP does notprovide data compression, greater bandwidth is needed. The aboveperformance hindrances are particularly pronounced over high-bandwidthhigh-delay networks, such as geosynchronous communication satellitenetworks and over highly asymmetric networks.

Accordingly, there is a clear need for improved approaches for enhancingthe performance of private networks to support secure communications.There is also a need for an approach to selectively provide performanceenhancing functions in a secure environment. There is also a need tominimize development and implementation costs. There is also a furtherneed to interoperate with existing standards and protocols.

Some Example Embodiments

The present invention addresses the above stated needs by providing anapproach for integrating Virtual Private Network (VPN) and networkacceleration techniques (e.g., Performance Enhancing Proxying (PEP)functions) in which a VPN tunnel can be segmented to selectively providePEP functionality. A PEP peer can include any combination of thefollowing components: a routing module, a buffer management module, anevent management module, a parameter management module, a TransmissionControl Protocol (TCP) spoofing kernel, a backbone protocol kernel, aprioritization kernel, a path selection kernel, and a data compressionkernel. PEP peers can establish a PEP connection to support the PEPfunction for any portion of the VPN tunnel, particularly, the portionthat traverses a high latency network. This approach advantageouslysupports secure communications, while enabling a service provider toimplement the PEP function and VPN function independently throughout thenetwork, thereby reducing costs and improving flexibility.

According to one aspect of the present invention, a method of providingsecure communication services is disclosed. The method includessupporting a secure tunnel from a source node over a network to adestination node, wherein the nodes are external to the network. Themethod also includes establishing a connection that supports a mechanismfor enhancing performance of the network for a portion of the securetunnel that traverses the network. According to another aspect of thepresent invention, a network device for supporting security in acommunications network is disclosed. The device includes a security peerconfigured to support a secure tunnel from a source node over a networkto a destination node, wherein the nodes are external to the network.The device also includes a network performance peer configured toestablish a connection for enhancing performance of the network for aportion of the secure tunnel that traverses the network. According toanother aspect of the present invention, a network device for supportingsecurity in a communications network is disclosed. The device includesmeans for supporting a secure tunnel from a source node over a networkto a destination node, wherein the nodes are external to the network.The device also includes means for establishing a connection forenhancing performance of the network for a portion of the secure tunnelthat traverses the network. According to another aspect of the presentinvention, a method of providing a virtual private network (VPN) serviceover a high latency network is disclosed. The method includesestablishing a VPN tunnel over the network. Additionally, the methodincludes selectively establishing a connection over a segment of the VPNtunnel, wherein the connection supports performance enhancing proxyingfunctions to minimize impact of the latency of the network. According toyet another aspect of the present invention, a method of providingsecure communication services is disclosed. The method includesestablishing a plurality of secure segments along a common communicationpath traversing a network. The method also includes establishing aconnection that supports a mechanism for enhancing performance of thenetwork, wherein the connection exists between two of the securesegments.

Further, in accordance with example embodiments of the present inventiona method of providing secure communication services is disclosed. Themethod comprises establishing a secure data tunnel from a source node toa destination node via a plurality of secure segments across a datacommunications network. The method further comprises establishing a datapath via the secure data tunnel, wherein the data path supports aperformance enhancing mechanism that improves performance of datacommunications over the data path. The performance enhancing mechanismmultiplexes data packet flows from the source node for transmission overthe data path, and performs one or more of connection startup latencyreduction, acknowledgment message spoofing, window sizing adjustment,compression and selective retransmission. According to a further exampleembodiment, the establishment of the data path via the secure datatunnel comprises determining that the data packet flows are to becarried via a secure connection, determining that the plurality ofsecure segments across the data communications network are functioningproperly, and establishing the data path via the secure data tunnel andinitiating the performance enhancing mechanism. By way of example, thesecure data tunnel may consist of a virtual private network (VPN) tunnelformed by the plurality of secure segments across the datacommunications network. By way of further example, at least one of thedata packet flows may be generated in accordance with transmissioncontrol protocol (TCP)/Internet protocol (IP) data communicationsprotocols. By way of further example, the data path may comprise aplurality of data sub-paths, wherein each data sub-path corresponds to adifferent priority level configured to carry data packets of therespective priority level—wherein each data packet flow may be assignedto a one of the sub-paths based on one or more predetermined priorityassignment rules. The predetermined priority assignment rules, forexample, may be based on criteria corresponding to the data packetflows, wherein the criteria comprise one or more of destination IPaddress, source IP address, source port number, destination port number,user datagram protocol (UDP) source port number, UDP destination portnumber, type of service (TOS), and data type. By way of further example,the capacity of the data path is apportioned between the data sub-pathsbased on one or more predetermined priority capacity assignment rules.

Further, in accordance with example embodiments of the present inventionan apparatus comprises a security peer configured to establish a securedata tunnel from a source node to a destination node via a plurality ofsecure segments across a data communications network, and a networkperformance peer configured to establish a data path via the secure datatunnel, and to operate a performance enhancing mechanism. Theperformance enhancing mechanism is configured to multiplex data packetflows from the source node for transmission over the data path, and toimprove performance of data communications over the data path. By way ofexample, the performance enhancing mechanism is configured to improveperformance of data communications over the data path by performing oneor more of connection startup latency reduction, acknowledgment messagespoofing, window sizing adjustment, compression and selectiveretransmission. According to a further example embodiment, theestablishment of the data path via the secure data tunnel comprisesdetermining that the data packet flows are to be carried via a secureconnection, determining that the plurality of secure segments across thedata communications network are functioning properly, and establishingthe data path via the secure data tunnel and initiating the performanceenhancing mechanism. By way of example, the secure data tunnel mayconsist of a virtual private network (VPN) tunnel formed by theplurality of secure segments across the data communications network. Byway of further example, at least one of the data packet flows may begenerated in accordance with transmission control protocol(TCP)/Internet protocol (IP) data communications protocols. By way offurther example, the data path may comprise a plurality of datasub-paths, wherein each data sub-path corresponds to a differentpriority level configured to carry data packets of the respectivepriority level—wherein each data packet flow is assigned to a one of thesub-paths based on one or more predetermined priority assignment rules.The predetermined priority assignment rules, for example may be based oncriteria corresponding to the data packet flows, wherein the criteriacomprise one or more of destination IP address, source IP address,source port number, destination port number, user datagram protocol(UDP) source port number, UDP destination port number, type of service(TOS), and data type. By way of further example, the capacity of thedata path may be apportioned between the data sub-paths based on one ormore predetermined priority capacity assignment rules.

Still other aspects, features, and advantages of the present inventionare readily apparent from the following detailed description, simply byillustrating a number of particular embodiments and implementations,including the best mode contemplated for carrying out the presentinvention. The present invention is also capable of other and differentembodiments, and its several details can be modified in various obviousrespects, all without departing from the spirit and scope of the presentinvention. Accordingly, the drawing and description are to be regardedas illustrative in nature, and not as restrictive.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example, and not by wayof limitation, in the figures of the accompanying drawings and in whichlike reference numerals refer to similar elements and in which:

FIG. 1 is a diagram of Virtual Private Network (VPN) peers integratedwith respective Performance Enhancing Proxying (PEP) peers, according toan embodiment of the present invention;

FIG. 2 is a flowchart of a process for establishments of a PEPconnection and VPN connection, according to an embodiment of the presentinvention;

FIG. 3 is a diagram of an example communications system capable ofemploying integrated VPN and PEP technologies, according to anembodiment of the present invention;

FIG. 4 is a diagram of an example access network utilized in the systemof FIG. 3;

FIG. 5 is a diagram of example PEP functionality employed in the systemof FIG. 1, according to one embodiment of the present invention;

FIG. 6 is a diagram of example PEP and VPN functionality integration inthe system of FIG. 1, according to one embodiment of the presentinvention;

FIG. 7 is a diagram of a system capable of deploying PEP functions,according to one embodiment of the present invention;

FIG. 8 is a diagram of the system of FIG. 3 in which the access terminalhas integrated VPN and PEP functionalities and communicates with theValue-added VPN server, according to an embodiment of the presentinvention;

FIG. 9 is a diagram of the system of FIG. 3 in which the access terminalhas integrated VPN and PEP functionalities and communicates with the VPNserver and the PEP gateway, according to an embodiment of the presentinvention;

FIG. 10 is a diagram of a communication system in which a VPN clientresides in a host served by a terminal having an integrated PEP and VPNfunction for communication over an access network, according to variousembodiment of the present invention;

FIG. 11 is a diagram of a communication system in which VPN clientsreside in multiple hosts served by a terminal having an integrated PEPand VPN function for communication over an access network, according tovarious embodiment of the present invention;

FIG. 12 is a diagram of the system of FIG. 3 in which the accessterminal has integrated VPN and PEP functionalities and is capable ofdynamically selecting PEP backbone connections, according to anembodiment of the present invention;

FIG. 13 is a diagram of the system of FIG. 3 in which a host hasintegrated VPN and PEP functionalities, according to an embodiment ofthe present invention;

FIG. 14 is a diagram of the system of FIG. 3 in which a host hasintegrated VPN and PEP functionalities with separate PEP and VPN driverbindings, according to an embodiment of the present invention;

FIG. 15 is a diagram of a packet flow in the system of FIG. 14,according to an embodiment of the present invention;

FIG. 16 is a diagram of the system of FIG. 3 in which a host hasintegrated VPN and PEP functionalities and is capable of dynamicallyselecting PEP backbone connections, according to an embodiment of thepresent invention;

FIG. 17 is a diagram of a computer system that can perform the variousprocesses associated with providing integrated VPN and PEPfunctionalities, in accordance with an embodiment of the presentinvention;

FIG. 18 is a diagram of a conventional private network employingcommercial leased lines; and

FIG. 19 is a diagram of a conventional virtual private network (VPN).

DETAILED DESCRIPTION

A system, method, device, and software for providing integrated VPN andPEP components are described. In the following description, for thepurposes of explanation, numerous specific details are set forth inorder to provide a thorough understanding of the present invention. Itis apparent, however, to one skilled in the art that the presentinvention can be practiced without these specific details or with anequivalent arrangement. In other instances, well-known structures anddevices are shown in block diagram form in order to avoid unnecessarilyobscuring the present invention.

Although the various embodiments of the present invention are describedwith respect to an IP (Internet Protocol)-based network and a satellitenetwork, it is recognized that other equivalent networks can beemployed. In addition, it is contemplated that various networkacceleration techniques, other than PEP functions, can be applied.

I. Integrated VPN and Network Acceleration

FIG. 1 is a diagram of Virtual Private Network (VPN) peers integratedwith respective Performance Enhancing Proxying (PEP) peers, according toan embodiment of the present invention. Enterprises, such as a largebusiness or organization, rely on VPN technology for interconnectingmultiple sites and hosts to their networks. Additionally, theseenterprises may require use of specialized access networks, such asgeosynchronous satellite networks, which can conveniently interconnectsites without much concern over geographic location or availability ofterrestrial networking infrastructure. These enterprises further seek toobtain the benefits of the PEP mechanism, which are detailed below withrespect to FIGS. 5 and 6. As noted previously, this goal cannot bereadily realized with conventional configurations, in part, because theVPN technology encrypts the packets (including their headers), such thatthe PEP technology residing within the access network, for example,within its terminals and the access gateway, is no longer able tointerpret or edit those packets.

An enterprise network 100, according to one embodiment of the presentinvention, supports integration of PEP technology with VPN technology.In this example, private network site A of the enterprise network 100includes a PEP peer (or end-point) 101 interacting with a VPN peer 103to provide an integrated PEP and VPN function. The VPN peer 103 has acorresponding peer, VPN peer 105 within private network site B;similarly, a PEP peer 107 corresponds to the PEP peer 101 of the privatenetwork site A. As arranged, the PEP peers 101, 107 have access to thepackets prior to encryption by VPN peers 103, 105 (as shown in FIG. 1).Alternatively, the PEP peers 101, 107 can reside between the VPN peers103, 105. As shown, PEP peer 101 and VPN peer 103 are situated withinprivate network site A, while their respective peers are located atprivate network site B.

The VPN peers 103, 105 “tunnel” the PEP connections 109, 111 byestablishing an encrypted tunnel 113 (e.g., VPN tunnel) to encrypt theprivate network packets carried by the PEP connections 109,111 over theaccess network 115 and a public network 117 (e.g., the Internet). Thepackets are completely protected in that they only appear in the clearwithin the customer's premises (at the private network sites A and B),and thus are not viewable by any network element between the VPN peers103, 105, including the access network and public network providers.

As discussed, the PEP functionality (via the PEP peers 101, 107) can beimplemented at the private network site “outside” of the VPN tunnel 113,in accordance with an embodiment of the present invention. “Outside” inthis context means that packets leaving the site are processed by therespective PEP peers 101, 107 prior to being encrypted by the VPN peers103, 105 and that packets entering the site are processed by the PEPpeer 101, 107 after these packets have been decrypted by the VPN peers103, 105.

The PEP peer to VPN tunnel routing is performed, in an exampleembodiment, by a routing table, where this routing table identifies theVPN tunnel and its VPN peer's IP address and provides one or more IPaddress masks such that one of which matches the IP address of the PEPpeer. This routing table thus is able to route PEP backbone packetsthrough the appropriate tunnel to the PEP peer. Additionally, therouting information can be dynamically created as part of the VPN tunnelestablishment or can be completely configured by an operator and loadedinto the VPN peers 103, 105 or adjusted by an operator directly via anoperator interface or can be partially configured and the address masksdynamically learned by a routing protocol.

Fixed, “always on” connectivity can be supported by the enterprisenetwork 100, such that both the VPN connections and the PEPconnection(s) 109, 111 between the sites A and B are not torn down onceestablished; that is, these connections are created when the PEP peers101, 107 and the VPN peers 103, 105 are activated and are pinned-up solong as the PEP peers 101, 107 and the VPN peers 103, 105 are “ON” andare able to communicate with each other.

In the event of a network failure or the failure of one of thecomponents 101, 103, 105, 107, which implements an end point of the VPNconnection or PEP connection, the components 101, 103, 105, 107immediately and continuously attempt to bring back up the connectionsupon detection of the failure. Under this scenario, coordination betweenbringing up the VPN connection and the PEP connection is not strictlyrequired, as these activities can be independent. However, attempting tobring up the PEP connection prior to the establishment of the VPNconnection can waste processor resources and, potentially, networkbandwidth resources, in that sending PEP messages to re-establish thePEP connection is futile until the VPN connection is established.

The integration of the PEP and VPN functionality, as provided by anembodiment of the present invention, minimizes waste of these resources.According to one embodiment of the present invention, the VPN function,as supported by the VPN peers 103, 105, provides status information tothe PEP function (PEP peers 101, 107) whenever the state (e.g.,connection up, or connection down) of the VPN connection changes. Atstartup, the PEP peers 101, 107 do not attempt to bring up the PEPconnections 109, 111 until informed by the VPN peers 103, 105 that theVPN connection has been successfully established. In addition, if theVPN connection fails, for example, because communication between the twosites A and B is interrupted by a network failure (either in the accessnetwork 115 or the public network 117), the PEP peers 101, 107 bringdown the PEP connections 109, 111 when the VPN peers 103, 105 providesnotification of the VPN connection failure. In addition to preventingwaste of resources by futile attempts to send PEP messages, thisapproach also allows the PEP function to gracefully terminate any TCPconnections being carried by the PEP connections 109, 111. Without thisintegration of the PEP and VPN functionality, termination would bedelayed, whereby a user's applications may be suspended until a PEPconnection timeout occurs, signaling the detection of the failedcommunication path.

As shown, the private network site B can utilize a firewall 119 that isintegrated with the PEP peer 107. Irrespective of whether the site Bbehaves as a VPN client or server, it is recognized that the PEPfunctionality needs to be situated between the VPN peer 105 and thefirewall 119, thereby ensuring that the firewall 119 can access theunencrypted data. This arrangement also permits the firewall 119 to haveaccess to the data after the packet has been restored back to native TCPso that the firewall 119 can properly provide access control checking onthe restored TCP connections and packets. Specifically, the firewall 119controls the types of packets entering and leaving the PEP peer 101,using a number of methods, including packet filtering, proxy service,and stateful inspection, for example. The firewall 119 can apply variousfilters, which can be based on IP address, domain name, communicationprotocol, and port, for example.

It is noted that fixed, “always on” connectivity can be provided foradministrative or resource reasons, such that it is desirable for thePEP connection 109, 111 to not be “always on,” even though the VPNconnection is “always on.” An example scenario in which such anarrangement is desirable is shown in FIG. 4 and involves a Very SmallAperture Terminal (VSAT) satellite network with a hub terminal (or hubsite) that supports thousands (or even hundreds of thousands) of remoteterminals (or remote sites). Permanent PEP connections between the hubsite and all of the remote sites require sufficient resources at the hubsite to support all of these PEP connections at the same time. However,a remote site may only be active (i.e., passing traffic across thenetwork) at different times and only some of the time. In such a case,it is desirable (e.g., for cost reasons) to limit the resources requiredfor PEP connections at the hub site to only sufficient resources tosupport the maximum number of remote sites that may be active at thesame time. In support of this requirement, the PEP function, asperformed by the PEP peers 101, 107, supports the ability to bring upthe PEP connection when triggered by the need to carry a TCP connection(session or stream) between the two sites over a secure (or encrypted)tunnel, as described below in FIG. 2.

FIG. 2 shows a flowchart of a process for establishments of a PEPconnection and VPN connection, according to an embodiment of the presentinvention. It is noted that network acceleration can be performedwithout the need for a secure environment. That is, not every PEPconnection has to be carried over a VPN tunnel. In step 201, adetermination is made whether a particular PEP connection is supportedover a VPN connection by consulting, for example, a routing table. Useof the routing table is more fully described later with respect to FIG.12. With the integration of the PEP function and VPN function providedby an embodiment of the present invention, the PEP function, prior toactually attempting to bring up the PEP connection, checks the currentstatus of the VPN connection, as in step 203. Next, the PEP peer 101,107 determines whether a VPN connection exists (step 205). If no VPNconnection exists, then the PEP peer 101, 107 waits for notificationfrom the VPN 103, 105 that a successful VPN connection has beenestablished (step 207). If the VPN connection is up, the PEP connectionis established, per step 209.

Continuing with the example of a VSAT network, if a remote is not alwaysactive, the likely scenario is a desire to also not have the VPNconnection active when it is not needed since VPN connections alsoconsume network and computing resources. In support of this option, thepresent invention, according to one embodiment, also includes thecapability for the PEP function to trigger the setting up of the VPNconnection, similar to the way traffic triggers the setting up of thePEP connection. The network 100, in an example embodiment, has thecapability to selectively configure the VPN peers 103, 105 and the PEPpeers 101, 107 to support a permanent VPN connection and/or a permanentPEP connection. It is noted that a permanent PEP connection cannot betruly permanent unless the VPN connection is permanent. Configuring thePEP connection as permanent, however, even when the VPN connection isnot permanent allows the network 100 to effectively implement thecapability of the PEP function to be triggered by the VPN function.Therefore, if no VPN connection exists, then, per step 207, the PEP peer101, 107 waits for the VPN peer 103, 105 to notify it of the success orfailure of VPN connection establishment via a status query mechanism;when the VPN connection is successfully established, the PEP functionproceeds to establish the PEP connection. In other words, for example,the VPN peer 103 can communicate status information to the PEP peer 101continually (on an automatic basis) or upon submission of a query by thePEP peer 101.

This flexibility advantageously permits the service provider to tradethe cost of the infrastructure required to support permanent VPN and PEPconnections against the potential increase in service revenue possibleby providing the permanent connections to eliminate the initial latencyexperienced by the user when the user first becomes active.

When a PEP connection 109, 111 is not ready when user traffic starts,either because the PEP connection 109, 111 is not permanent or becausethe PEP function is waiting for the VPN connection to establish, thenetwork 100 can make use of the PEP functionality, for example, to spoofthe TCP three-way handshake, if desired. Accordingly, this mechanismprevents a host (e.g., user's PC (Personal Computer) or other client,such as a Personal Digital Assistant (PDA)) from timing out, while theVPN (if necessary) and PEP connections are being established.

FIG. 3 is a diagram of a communications system capable of employingintegrated VPN and PEP technologies, according to an embodiment of thepresent invention. As seen in the figure, a host 301 attaches to a localnetwork 303, which has connectivity to a terminal 305. The terminal 305serves an access terminal to an access network 307. A gateway 309 existsto connect the access network 307 to the Internet 311 (or any publicpacket switched network). The Internet supports a server 313, which canbe a web server, for example.

A VPN server 315, which provides VPN functionalities, communicates witha performance enhancing proxying (PEP) gateway 317. The VPN server 315can support multiple VPN tunnels; typically, one tunnel is employed perprivate network site. In an example embodiment, the VPN server 315 canbe integrated with a router to connect to the Internet 311 for routingpackets across one or more VPN tunnels over the Internet 311.

The PEP gateway 317 has connectivity to an intranet 319, in which aserver 321 is a part of the network 319. Additionally, a value-added VPNserver 323 supports one or more value-added services, such as PEP,quality-of-service (QoS), policy control, etc., as detailed with respectto FIG. 8. The value-added VPN server 323 is attached to an intranet325, which has a server 327 storing content that may be of interest tothe host 301.

In addition, a variety of host-to-host connectivity configurations canbe supported by the system of FIG. 3, for example, including VPN and PEPfunctionality in each host; VPN and PEP functionality in the terminalsin front of each host; and VPN and PEP functionality in one host and inthe terminal of the other host. As will be explained more fully in FIGS.7-16, the PEP function and the VPN function can be implemented innumerous ways among the network elements.

The PEP gateway 317 and the VPN server 315 can support PEP and VPNconnections that are not “always on.” For example, a “hot spot” accesspoint (e.g., a wireless local area network 328), provided as a servicein public areas such as airport lobbies, libraries, etc., can be used bya mobile host 329 (e.g., user's PC or other client) to login in acrossthe access network 307 to the user's company intranet 319 to retrieveinformation from the server 321. Connectivity to the access point can bewireless. In such a case, security can be provided from the mobile host329 back to the company intranet 319. Because the user's traffic isexposed by the wireless network (328), security cannot just be providedfrom the access point to the intranet 319. And, even in the case of awired connection, because the access point is located in a public place,the user has no assurance that the “wire” is not tapped or otherwisecompromised. However, because the mobile host 329 can be equipped withVPN functionality, the communication is secured, irrespective of whetherthe access is wired or wireless.

By integrating the PEP function and the VPN function, the presentinvention, according to one embodiment, can employ the PEP function intothe mobile host 329 (e.g., PC, PDA, etc.), essentially external to theVPN connection. Under this arrangement, the user's traffic remainssecure, as the PEP function does not need to expose the user traffic togain the benefit of VPN functionality.

In this environment, both the VPN and PEP connections will not bepermanent, by definition. The integration of the PEP function and theVPN function provides several options for configuring the method used toestablish the PEP and VPN connections. One method, which is consistentwith how VPN connections are traditionally established, involves theuser explicitly requesting that the VPN connection be established, forexample, by starting up the VPN client on the mobile host 329. Accordingto one embodiment of the present invention, this functionality isextended to also bring up the PEP connection after the VPN connectionhas been established, as explained earlier with respect to FIG. 2.

An alternative method of establishing the PEP and VPN connectionsinvolves the user generating traffic to automatically invoke the PEPfunction as to trigger the creation of the VPN connection and the PEPconnection. Conventionally, this approach is not viable because theuser's connection will time out while waiting for the VPN connection toestablish. The TCP connection spoofing provided by the PEP functionaccording to an embodiment of the present invention, however, will keepthe TCP connection from timing out while the VPN and PEP connections areestablished.

Example VPN standards include IPSEC (IP Security Protocol), Layer 2Tunneling Protocol (L2TP), and Point-to-Point Tunneling Protocol (PPTP).IPSEC is a standard for Virtual Private Networking, which has beendeveloped by the Internet Engineering Task Force (IETF) and has beenendorsed by many industry experts as providing a high level of security.The IPSEC protocol encompasses a number of standards and Request forComments (RFCs) by the Internet Engineering Task Force (IETF). Forinstance, these RFCs include RFC 2401-2411 and 2451 (which areincorporated herein by reference in their entireties). Notably, IPSECintroduces new headers between the IP header and the TransmissionControl Protocol (or User Datagram Protocol): an Authentication header(AH), and an Encapsulating Security Payload (ESP). The high level ofsecurity stems, for example, from the fact a network service provider isnot able to view the data and other encryption protocol standards areless mature (i.e., have not been well studied or tested).

II. Satellite Access Network

FIG. 4 is a diagram of an example access network utilized in the systemof FIG. 3. An access network 307 provides individual hosts 405 (of whichonly a single host is shown) or whole sites with connectivity to apublic network 409 (and the hosts 411 accessible on that network), suchas the Internet. It is recognized that when the access network 307 isconfigured as a wireless network, the network 307 provides directcommunication from terminal to terminal, but typically routes datadestined for the public network 409 through a gateway-type device. Inthe case of a VSAT system, the access network 307 provides connectivityvia a satellite 401 between a remote terminal 403 and a hub terminal407. The hub terminal 407, in this example, serves as a gateway to thepublic network 409.

Under this satellite environment, use of the integrated PEP and VPNfunctions permits a PEP connection to be “always on” to minimize theimpact of the latency of the network 307, even though no VPN connectionis established (as discussed earlier).

The network 307 can be implemented as other wireless systems (e.g.,radio networks, cellular networks, etc.). For example, the network 307can be a third generation mobile phone system; in this scenario, host405, which executes a TCP/IP stack to access the public network 309 canbe integrated with the terminal 403. Alternatively, a local area network(not shown) can provide connectivity for one or more hosts 405 to theterminal 403.

Furthermore, the host 405, according to another embodiment of thepresent invention, can be connected to the terminal 403 via a peripheralinterface such as a Universal Serial Bus (USB) interface or an RS-232interface in a manner that the terminal 403 is a peripheral of the host405.

The access network 307, in an example embodiment, supportsinternetworking using the TCP/IP stack. Given the many drawbacks thatinhere in TCP, a Performance Enhancing Proxying (PEP) mechanism isutilized to reduce or minimize these drawbacks, particularly in asatellite communication system.

III. Network Acceleration Functions

FIG. 5 is a diagram of example PEP functionality employed in the systemof FIG. 1, according to one embodiment of the present invention. In thisembodiment, the PEP peer 101 (as well as the PEP peer 107 of FIG. 1) isimplemented, for example, in a platform environment, which includes thehardware and software operating system. The PEP peer 101 uses a networkinterface 501 to exchange TCP packets with the host 301 (FIG. 3). Also,the PEP peer 101 utilizes the interface 503 to establish and maintainbackbone connections, for instance, with the value-added VPN server 323via the VPN peer 103. The PEP peer 101 uses the network interface 501 toexchange TCP packets with the host 301 (FIG. 3). Also, the PEP peer 101utilizes the VPN interface 503 to establish and maintain backboneconnections, for instance, with the value-added VPN server 323 via theVPN peer 103. The PEP peer 101 can be deployed strictly as a software(or firmware) module, encompassing some or all of the followingcomponents, which are detailed below: a routing module 505, a buffermanagement module 507, an event management module 509, a parametermanagement module 511, a TCP spoofing kernel 513, a backbone protocolkernel 515, a prioritization kernel 517, a path selection kernel 519,and a data compression kernel 521.

The PEP peer 101 intercepts a TCP connection's packet and locallyacknowledges that packet and then transports the packet to its PEP peer107 via a protocol which is designed in such a way as to overcome and/orreduce the limitations of conventional TCP/IP networks. The optimizedprotocol is referred to as a “backbone protocol” and a “backboneconnection” (or PEP connection) refers to this protocol connecting apair of PEP peers 101, 107. As used herein, “backbone” connectiondenotes a PEP connection over an access network (e.g., network 307) thatcan serve as a backbone network; however, because a PEP connection canbe established between PEP peers 101, 107 over any type of network, theterm “PEP connection” is used synonymously with “PEP backboneconnection” or “backbone connection.”

The optimized protocol can be a protocol that resembles TCP, but whichrelaxes TCP's performance inhibitors, such as TCP slow start, defaultsmall window size, and frequent sending of acknowledgement packets. Thisapproach is detailed in U.S. Pat. No. 6,161,141 to Dillon, entitled“Network System with TCP/IP protocol Spoofing,” which is incorporatedherein in its entirety. In such a case, each TCP connection correspondsto a single PEP backbone connection.

Alternatively the optimized protocol can differ from TCP and includecapabilities not present in TCP, such as compression, selectiveretransmission and etc. In this arrangement, a single PEP backboneconnection can be assigned to each TCP connection, or a single backboneconnection can multiplex data from multiple TCP connections.

Under certain circumstances, more than one backbone connection existsbetween two PEP peers and is used to prioritize TCP connections so thathigher-priority TCP connections can receive a preferred throughput orresponse time quality of service compared to lower-priority connections.Optimization of PEP connections that traverse different types ofnetworks can be achieved via configuration or via dynamic determinationof network characteristics, such as latency and maximum throughput, bythe PEP peers 101, 107.

A. Automatic Tuning to Network Characteristics

According to an embodiment of the present invention, the PEP functionsof the PEP peers (or end points) 101, 107 can be performed adaptively.As noted, the performance of PEP is controlled by several parameters,including backbone protocol window size, TCP window size, ACK delay andretransmission delay. These parameters can be configured in advance.However, if multiple connections are to be supported, the memory isshared between the connections. The memory can either be staticallyallocated to a pre-configured maximum number of connections, ordynamically allocated to connections as needed. For the purposes ofexplanation, the adaptive capability of the PEP functions is describedwith respect to window sizes. Window size determines maximum throughputand is dependent on the available memory in the end points.

Dynamic allocation is more complex and can potentially lead toover-commitment of resources and loss of data. The ACK delay helps toreduce the number of acknowledgements and thus the bandwidth requiredfor acknowledgements. However, increasing the delay increases theend-to-end latency. The retransmission delay depends on queue latencyand end-to-end latency and helps to determine when the link has failed.If it is too large, the application will seem slow when packets are lostbecause of the long period before retransmission. However, the delayshould be of sufficient duration to account for the end-to-end latencyincluding the ACK delay.

If the PEP peers 101, 107 are implemented in a well-defined network,e.g., a satellite network of FIG. 4 with a fairly static number of hostsor users at each end point, the PEP parameters can be calculated andstatically configured. That is, since the channel throughput andapproximate number of users is known, the expected number of connectionscan be estimated and the window size can be calculated and configured.The network latency is known and so the ACK delay and retransmissioninterval can be calculated.

If PEP is implemented in a (mobile) host or in the end point of anetwork with unknown delay and unknown throughput, it may be difficultto configure the PEP parameters. It is particularly hard topre-configure delay parameters if the delay is unknown and may be highlyvariable; e.g., in a mobile host that is used at different times onsatellite networks and terrestrial networks. Therefore, in this scenariothe parameters need to be controlled automatically by the end pointbased on measurements of the network, or explicit notifications from thenetwork. The algorithm needs to know the throughput and round trip time(RTT). RTT can be estimated, for example, at connection start up orconstantly monitored throughout the connection. Throughput can beestimated by the user or measured and then parameters adjusted.

Alternatively, if the network can indicate RTT and throughput (orbandwidth) through a Quality-of-Service (QoS) indication, these can beused to configure the parameters. An appropriate protocol can beimplemented to allow the PEP peer 101 to query the network forinformation about the communication path, for example, RTT andthroughput. If the network supports this protocol, it responds.Otherwise the PEP peer 101 will not receive a response and so falls backto a default configuration after some timeout expires.

After an initial value is determined, the RTT can be estimated duringdata transfer by a number of methods. The most recent RTT estimate canbe used to adjust PEP parameters as necessary, e.g. increase the windowas RTT increases.

The PEP peer 101 starts with an estimation of throughput—either based onexplicit notification from the network in the response message, or basedon a default value, or a user controlled value, e.g. when the user knowsthe configuration of the network. The transmitter can probe to see ifthe available throughput is higher than the current estimate, i.e., tryto push more data. If congestion occurs, e.g. the actual bandwidth islower, or the network indicates congestion; the transmitter “shrinks”its backbone connection window. This is similar to the operation of TCP,which uses a mechanism called “multiplicative decrease.” If data islost, it assumes this is due to congestion and it reduces its window(congestion window) by half.

Alternatively receiver based tuning can be performed to enhance thenetwork performance. The receiver can control the PEP backbone protocolreceive window. Again the window is initially set based on eitherexplicit notification from the network in the response message, or basedon a default value, or a user controlled value. The receiver canincrease the window in an attempt to increase throughput and shrink thewindow it if congestion is detected. The receiver can use informationprovided by the network, e.g., queue latency indication from the networkas implemented in a satellite gateway, or explicit congestionnotification (ECN) from network routers. IETF RFC 2481, which isincorporated herein by reference in its entirety, describes a techniquefor adding Explicit Congestion Notification (ECN) to IP, whereby routersset a bit called Congestion Encountered (CE) in the Type Of Service(TOS)/Differentiated Services (DS) field of the IP header to indicatecongestion. This can be forwarded on to the receiver by routers in thenetwork.

It may be advantageous to have the receiver perform congestion controlrather than the transmitter. In certain network configurations, theremay not be a path back to the transmitter; e.g., one-way or asymmetricnetworks. In a VPN environment, there may be a security issue where theserver side might not accept information from the network. With explicitcongestion notification (ECN), the receiver may have a better indicationof congestion than the transmitter. It is recognized that the receivershould pass the indication back to the transmitter, but clearly thereceiver has the better view. Different PEP peers may be runningdifferent versions of software with various functions, such that thetransmitter might not support these functions.

The selection of receiver based tuning or transmitter based tuning canbe negotiated by the PEP peers 101, 107 when the PEP connection isestablished. Each PEP peer 101 can indicate whether it has access tocongestion information to help decide. Depending on the network, the PEPpeers 101, 107 could use the methods concurrently, singly, or incombination.

The above tuning operation as described focuses on the window sizes.However other parameters such as ACK delay and retransmission delaycould also be tuned as necessary based on the estimation of RTT anddetection of congestion.

While various embodiments of the present invention have been explainedwith respect to the TCP protocol, other protocols can similarly havetheir performance or efficiency improved by a suitable PEP. Anotherprotocol that can be “PEPed” for performance improvement is thePoint-to-Point Protocol (PPP) (with the performance enhancement of itsconnection establishment) when operating over IP via protocols such asthe Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 TunnelingProtocol (L2TP). Compression, in particular, is applicable to manyprotocols. Accordingly, the various embodiments of the present inventionare not limited to TCP PEP. Moreover, it is noted that the advantages ofPEP, and network acceleration in general, stems from the recognitionthat the network acceleration technique needs to be “outside” of the VPNtunnel.

For example, in the system of FIG. 3, if the terminal 305 includes thePEP and VPN functionality, the terminal 305 establishes TCP connectionswith the IP host 301, via the network interface 501, and can establishbackbone connection(s) with the value-added VPN server 323 via thenetwork interface 503. The PEP peer platform environment 101 also caninclude general functional modules, such as routing module 505, buffermanagement module 507, event management module 509, and parametermanagement module 511.

As illustrated in FIG. 5, the PEP peer 101 also includes a TCP spoofingkernel 513, a backbone protocol kernel 515, a prioritization kernel 517,and a path selection kernel 519. These four kernels constitute the basicfunctionalities of the PEP peers 101, 107.

Although not shown, the PEP peer 101 performs a number of functionsbeyond the modules and kernels shown, such as shielding the various PEPkernels 513, 515, 517, 519 from implementation specific constraints.That is, the PEP peer 101 performs functions that the various PEPkernels 513, 515, 517, 519 cannot perform directly because theimplementation of the function is platform specific. This arrangementhas the advantageous effect of hiding platform specific details from thePEP kernels 513, 515, 517, 519, making the PEP kernels more portable.

An example of a platform specific function is the allocation of abuffer. In some platforms, buffers are created as they are needed, whilein other platforms, buffers are created at start-up and organized intolinked lists for later use. It is noted that platform specific functionsare not limited to functions generic to all of the kernels 513, 515,517, 519. A function specific to a particular kernel, for example, theallocation of a control block for TCP spoofing, can also be implementedin the PEP peer platform environment 101 to hide platform specificdetails from the kernel.

Additionally, the PEP peer 101 can provide the task context in which thePEP kernels 513, 515, 517, 519 run. In one example embodiment, all PEPkernels 513, 515, 517, 519 can run in the same task context forefficiency. However, this is not required.

Furthermore, the PEP peer platform environment 101, in an exampleembodiment, provides an interface between the PEP functionality(embodied in kernels 513, 515, 517, 519) and the other functionality ofthe network components. The PEP peer platform environment 101 canprovide the interface between the PEP functionality and the routingmodule 505, as seen in FIG. 5. It is noted that the platform specificfunctions illustrated in FIG. 5 are examples and are not considered anexhaustive list. It is further noted that the PEP kernels shown adjacentto each other (513, 515 and 517, 519) in FIG. 5 can have a directprocedural interface to each other. Further, the kernels 513, 515, 517,519 can include direct interfaces to improve performance, as opposed torouting everything through the PEP peer platform environment 101.

In addition to the PEP kernels 513, 515, 517, and 519, the PEP peer 101can utilize a data compression kernel 521 to improve bandwidthefficiency. These kernels 513, 515, 517, 519, and 521, as describedabove, facilitate communication between the two groups of hosts, byperforming a variety of performance enhancing functions, either singlyor in combination. These performance enhancing functions includeselective TCP spoofing, three-way handshake spoofing, local dataacknowledgement, TCP connection to backbone connection multiplexing,data compression/encryption, prioritization, and path selection.Selective TCP Spoofing is performed by the TCP spoofing kernel 513 andincludes a set of user configurable rules that are used to determinewhich TCP connections should be spoofed.

B. TCP Spoofing

Selective TCP spoofing improves performance by not tying up TCPspoofing-related resources, such as buffer space, control blocks, etc.,for TCP connections for which the user has determined that spoofing isnot beneficial or required and by supporting the use of tailoredparameters for TCP connections that are spoofed.

In particular, the TCP spoofing kernel 513 discriminates among thevarious TCP connections based on the applications using them. That is,TCP spoofing kernel 513 discriminates among these TCP connections todetermine which connection should be spoofed as well as the manner inwhich the connection is spoofed; e.g., whether to spoof the three-wayhandshake, the particular timeout parameters for the spoofedconnections, etc. TCP spoofing is then performed only for those TCPconnections that are associated with applications for which highthroughput or reduced connection startup latency (or both) is required.As a result, the TCP spoofing kernel 513 conserves TCP spoofingresources for only those TCP connections for which high throughput orreduced connection startup latency (or both) is required. Further, theTCP spoofing kernel 513 increases the total number of TCP connectionswhich can be active before running out of TCP spoofing resources, sinceany active TCP connections which do not require high throughput are notallocated resources.

One criterion for identifying TCP connections of applications for whichTCP spoofing should and should not be performed is the TCP port numberfield contained in the TCP packets being sent. In general, unique portnumbers are assigned to each type of application. Which TCP port numbersshould and should not be spoofed can be stored in the TCP spoofingkernel 513. The TCP spoofing kernel 513 is also re-configurable to allowa user or operator to reconfigure the TCP port numbers which should andshould not be spoofed. The TCP spoofing kernel 513 also permits a useror operator to control which TCP connections are to be spoofed based onother criteria. In general, a decision on whether to spoof a TCPconnection can be based on any field within a TCP packet. The TCPspoofing kernel 513 permits a user to specify which fields to examineand which values in these fields identify TCP connections that should orshould not be spoofed. Another example of a potential use for thiscapability is for the user or operator to select the IP address of theTCP packet in order to control for which users TCP spoofing isperformed. The TCP spoofing kernel 513 also permits a user to look atmultiple fields at the same time. As a result, the TCP spoofing kernel513 permits a user or operator to use multiple criteria for selectingTCP connections to spoof. For example, by selecting both the IP addressand the TCP port number fields, the system operator can enable TCPspoofing for only specific applications from specific users.

The user configurable rules can include five example criteria which canbe specified by the user or operator in producing a selective TCPspoofing rule: Destination IP address; Source IP address; TCP portnumbers (which can apply to both the TCP destination and source portnumbers); TCP options; and IP type of service (TOS)/differentiatedservices (DS) field. However, as indicated above, other fields withinthe TCP packet can be used.

As discussed above, in addition to supporting selective TCP spoofingrules for each of these criterion, AND and OR combination operators canbe used to link criteria together. For example, using the ANDcombination operator, a rule can be defined to disable TCP spoofing forFTP data received from a specific host. Also, the order in which therules are specified can be significant. It is possible for a connectionto match the criteria of multiple rules. Therefore, the TCP spoofingkernel 513 can apply rules in the order specified by the operator,taking the action of the first rule that matches. A default rule canalso be set which defines the action to be taken for TCP connectionswhich do not match any of the defined rules. The set of rules selectedby the operator can be defined in a selective TCP spoofing selectionprofile.

As an example, assuming sufficient buffer space has been allocated tospoof five TCP connections, if four low speed applications (i.e.,applications which, by their nature, do not require high speed) bring upconnections along with one high speed application, the high speedconnection has access to only ⅕ of the available spoofing buffer space.Further, if five low speed connections are brought up before the highspeed connection, the high speed connection cannot be spoofed at all.Using the TCP spoofing kernel 513 selective spoofing mechanism, the lowspeed connections are not allocated any spoofing buffer space.Therefore, the high speed connection always has access to all of thebuffer space, improving its performance with respect to animplementation without the selective TCP spoofing feature of the TCPspoofing kernel 513.

The TCP spoofing kernel 513 also facilitates spoofing of the connectionestablishment three-way handshake. Three-Way Handshake Spoofing involveslocally responding to a connection request to bring up a TCP connectionin parallel with forwarding the connection requests across a backbonelink through the VPN tunnel 113. This allows the originating IP host(for example, 301) to reach the point of being able to send the data itmust send at local speeds, i.e., speeds that are independent of thelatency of the backbone link. Three-way Handshake Spoofing allows thedata that the IP host 301 needs to send to be sent to the destination IPhost (e.g. the server 327) without waiting for the end-to-endestablishment of the TCP connection. For backbone links with highlatency, this significantly reduces the time it takes to bring up theTCP connection and, more importantly, the overall time it takes to get aresponse (from an IP host) to the data the IP host 301 sends.

A specific example in which this technique is useful relates to anInternet web page access application. With three-way handshake spoofing,an IP host's request to retrieve a web page can be on its way to a webserver (e.g., the server 327) without waiting for the end-to-endestablishment of the TCP connection, thereby reducing the time it takesto download the web page.

With Local Data Acknowledgement, the TCP spoofing kernel 513 locallyacknowledges data segments received from the IP host 301. This allowsthe sending IP host 301 to send additional data immediately. Moreimportantly, TCP uses received acknowledgements as signals forincreasing the current TCP window size. As a result, local sending ofthe acknowledgements allows the sending IP host 301 to increase it TCPwindow at a much faster rate than supported by end to end TCPacknowledgements. The TCP spoofing kernel 513 (e.g., the spoofer) takeson the responsibility for reliable delivery of the data that it hasacknowledged.

In the backbone protocol kernel 515, multiple TCP connections aremultiplexed onto and carried by a single backbone connection. Thisimproves system performance by allowing the data for multiple TCPconnections to be acknowledged by a single backbone connectionacknowledgement (ACK), significantly reducing the amount ofacknowledgement traffic required to maintain high throughput across thebackbone link. In addition, the backbone protocol kernel 515 selects abackbone connection protocol that is optimized to provide highthroughput for the particular link. Different backbone connectionprotocols can be used by the backbone protocol kernel 515 with differentbackbone links without changing the fundamental TCP spoofingimplementation. The backbone connection protocol selected by thebackbone protocol kernel 515 provides appropriate support for reliable,high speed delivery of data over the backbone link, hiding the detailsof the impairments (for example high latency) of the link from the TCPspoofing implementation.

The multiplexing by the backbone protocol kernel 515 allows for the useof a backbone link protocol which is individually tailored for use withthe particular link and provides a technique to leverage the performanceof the backbone link protocol with much less dependency upon theindividual performance of the TCP connections being spoofed thanconventional methods. Further, the ability to tailor the backboneprotocol for different backbone links makes the present inventionapplicable to many different systems.

The PEP peer 101 can optionally include a data compression kernel 521for compressing TCP data, which advantageously increases the amount ofdata that can be carried across the backbone connection. Differentcompression algorithms can be supported by the data compression kernel521 and more than one type of compression can be supported at the sametime. The data compression kernel 521 can optionally apply compressionon a per TCP connection basis, before the TCP data of multiple TCPconnections is multiplexed onto the backbone connection or on a perbackbone connection basis, after the TCP data of multiple TCPconnections has been multiplexed onto the backbone connection. Whichoption is used is dynamically determined based on user configured rulesand the specific compression algorithms being utilized. Example datacompression algorithms are disclosed in U.S. Pat. Nos. 5,973,630, and5,955,976, the entire contents of which are hereby incorporated byreference.

C. Connection Prioritization

The prioritization kernel 517 provides prioritized access to thebackbone link capacity. For example, the backbone connection canactually be divided into N (N>1) different sub-connections, each havinga different priority level. In one example embodiment, four prioritylevels can be supported. The prioritization kernel 517 uses user-definedrules to assign different priorities, and therefore differentsub-connections of the backbone connection, to different TCPconnections. It should be noted that prioritization kernel 517 can alsoprioritize non-TCP traffic (e.g., UDP (User Datagram Protocol) traffic)before sending the traffic across the backbone link.

The prioritization kernel 517 also uses user-defined rules to controlhow much of the backbone link capacity is available to each prioritylevel. According to one embodiment of the present invention, multiplePEP backbone connections can be utilized and respectively mapped todifferent priority levels by the prioritization kernel 517. Examplecriteria which can be used to determine priority include the following:Destination IP address; Source IP address; IP protocol; TCP port numbers(which can apply to both the TCP destination and source port numbers);UDP port numbers (which can apply to both the UDP destination and sourceport numbers); and IP type of service (TOS)/differentiated services (DS)field. The type of data in the UDP or TCP data packets can also be usedas a criterion. For example, video data could be given highest priority.Mission critical data could also be given high priority. As withselective TCP spoofing, any field in the IP packet can be used byprioritization kernel 517 to determine priority.

As mentioned above, in addition to supporting selective prioritizationrules for each of these criteria, AND and OR combination operators canbe used to link criteria together. For example, using the ANDcombination operator, a rule can be defined to assign a priority forSNMP data received from a specific host. Also, the order in which therules are specified can be significant. It is possible for a connectionto match the criteria of multiple rules. Therefore, the prioritizationkernel 517 can apply rules in the order specified by the operator,taking the action of the first rule that matches. A default rule canalso be set which defines the action to be taken for IP packets which donot match any of the defined rules. The set of rules selected by theoperator can be defined in a prioritization profile.

For prioritization to operate effectively with the VPN function,information regarding prioritization of a packet needs to be visible tothe terminal 305 (FIG. 3), as the terminal 305 is responsible forscheduling that packet's transmission across the access network 307. Inone embodiment of the present invention, the PEP peer 101 provides anindication of the priority of a backbone connection to the VPN peer 103so that the VPN peer 103 can encode this priority information in theunencrypted header of the backbone's tunneled packets. This approachallows the terminal 305 to determine the priority of the packets and tohonor this prioritization when forwarding the packets across the accessnetwork 307. In an example embodiment, the prioritization is encoded inthe Type Of Service (TOS) bits of the backbone packet's IP header field.IETF RFCs 1340 and 1349, which are incorporated herein in theirentireties, provide details regarding how prioritization can be encodedin this field. The VPN peer 103 copies a packet's TOS field into thetunneled packet's outer, unencrypted IP header's TOS field, therebymaking the prioritization available to the terminal 305 in astandards-compliant fashion.

Alternatively, the DS field can be used to capture prioritizationinformation. Differentiated Services functions are more fully describedin IETF RFCs 2475 and 2474, which are incorporated herein in theirentireties.

In regards to the path selection functionality, the path selectionkernel 519 is responsible for determining which path an IP packet shouldtake to reach its destination. The path selected by the path selectionkernel 519 can be determined by applying path selection rules. The pathselection kernel 519 also determines which IP packets should beforwarded using an alternate path and which IP packets should be droppedwhen one or more primary paths fail. Path selection parameters can alsobe configured using profiles. The path selection rules can be designedto provide flexibility with respect to assigning paths while making surethat all of the packets related to the same traffic flow (e.g., the sameTCP connection) take the same path (although it is also possible to sendsegments of the same TCP connection via different paths, this segment“splitting” can have negative side effects). Example criteria that canbe used to select a path include the following: priority of the IPpacket as set by the prioritization kernel 517 (should be the mostcommon criterion); Destination IP address; Source IP address; IPprotocol; TCP port numbers (which can apply to both the TCP destinationand source port numbers); UDP port numbers (which can apply to both theUDP destination and source port numbers); and IP type of service(TOS)/differentiated services (DS) field. Similar to selective TCPspoofing and prioritization, the path selection kernel 517 can determinea path by using any field in the IP packet.

As with the prioritization criteria (rules) the AND and OR combinationoperators can be used to link criteria together. For example, using theAND combination operator, a rule can be defined to select a path forSNMP data received from a specific host. Also, the order in which therules are specified can be significant. It is possible for a connectionto match the criteria of multiple rules. Therefore, the path selectionkernel 519 can apply rules in the order specified by the operator,taking the action of the first rule that matches. A default rule canalso be set which defines the action to be taken for IP packets which donot match any of the defined rules. The set of rules selected by theoperator can be defined in a path selection profile.

By way of example, a path selection rule can select the path based onany of the following path information in which IP packets match therule: a primary path, a secondary path, and a tertiary path. The primarypath is be specified in any path selection rule. The secondary path isused only when the primary path has failed. If no secondary path isspecified, any IP packets that match the rule can be discarded when theprimary path fails. The tertiary path is specified only if a secondarypath is specified. The tertiary path is selected if both the primary andsecondary paths have failed. If no tertiary path is specified, any IPpackets that match the rule can be discarded when both the primary andsecondary paths fail. Path selection can be generalized such that thepath selection rule can select up to N paths where the Nth path is usedonly if the (N−1)th path fails. The example above where N=3 is merelyillustrative, although N is typically a fairly small number.

By way of example, the operation of the system of FIG. 1 is described asfollows. First, a backbone connection is established between the PEPs101, 107 of two network sites (i.e., the two spoofers), located at eachend of the backbone link for which TCP spoofing is desired. Whenever anIP host 301 initiates a TCP connection, the TCP spoofing kernel 513 ofthe PEP peer 101 local to the respective IP host checks its configuredselective TCP spoofing rules. If the rules indicate that the connectionshould not be spoofed, the PEP peer 101 allows the TCP connection toflow end-to-end unspoofed. If the rules indicate that the connectionshould be spoofed, the spoofing PEP peer 101 locally responds to the IPhost's TCP three-way handshake. In parallel, the spoofing PEP peer 101sends a message across the backbone link to its peer 107 asking it toinitiate a TCP three-way handshake with the other IP host on its side ofthe backbone link. Data is then exchanged between the IP hosts with thePEP peer 101 locally acknowledging the received data and forwarding itacross the backbone link via the high speed backbone connection,compressing the data as appropriate based on the configured compressionrules. The priority of the TCP connection is determined when theconnection is established. The backbone protocol kernel 515 canmultiplex the connection with other received connections over a singlebackbone connection, the prioritization kernel 517 determines thepriority of the connection and the path selection kernel 519 determinesthe path the connection is to take.

The PEP peer 101, as described above, advantageously, improves networkperformance by allocating TCP spoofing-related resources, such as bufferspace, control blocks, etc., only to TCP connections for which spoofingis beneficial; by spoofing the three-way handshake to decrease dataresponse time; by reducing the number of ACKs which are transmitted byperforming local acknowledgement and by acknowledging multiple TCPconnections with a single ACK; by performing data compression toincrease the amount of data that can be transmitted; by assigningpriorities to different connections; and by defining multiple paths forconnections to be made. Further details of the operation of the PEP peer101 is described in co-pending U.S. patent application field on Jul. 12,2001 (Ser. No. 09/903,832), entitled “Method and System for ImprovingNetwork Performance Using a Performance Enhancing Proxy Architecture.”

As mentioned previously, in addition to PEP functionalities, othernetwork acceleration techniques can also be integrated with VPN. Forexample, a different proxy architecture supports HyperText TransferProtocol (HTTP) prefetching, Domain Name Service (DNS) caching, andLayer 4 (L4) switching to improve user response time. To appreciatethese network acceleration techniques, it is instructive to describe theoperation of web content retrieval.

Web pages are formatted according to the Hypertext Markup Language(HTML) standard which provides for the display of high-quality text(including control over the location, size, color and font for thetext), the display of graphics within the page and the “linking” fromone page to another, possibly stored on a different web server. The host301, for example, is loaded with a web browser (e.g., Microsoft InternetExplorer, Netscape Navigator) to access the web pages that are residenton a web server 313; collectively the web pages and the web server 313denote a “web site.” A terminal 305 may be provided to increase systemperformance by supporting such functions as HyperText Transfer Protocol(HTTP) proxying and Domain Name Service (DNS) proxying. HTTP is anapplication level protocol that is employed for information transferover the Internet 311. RFC (Request for Comment) 2618 specifies thisprotocol and is incorporated herein in its entirety. As with PEP, theseproxies are executed in the clear.

The user enters or specifies a URL to the web browser of the host 301,which in turn requests a URL from the web server 313. The host 301 mayneed to retrieve an Internet Protocol (IP) address corresponding to adomain name of the URL from a domain name service (DNS) server 117. Sucha domain name lookup conventionally requires a traversal of the accessnetwork 307 which introduces additional delay. The web server 313returns an HTML page, which contains numerous embedded objects (i.e.,web content), to the web browser.

Upon receiving the HTML page, the web browser parses the page toretrieve each embedded object. The retrieval process requires theestablishment of separate communication sessions (e.g., TCP(Transmission Control Protocol) connections) to the web server. That is,after an embedded object is received, the TCP connection is torn downand another TCP session is established for the next object. Given therichness of the content of web pages, it is not uncommon for a web pageto possess over 30 embedded objects; thereby consuming a substantialamount of network resources, but more significantly, introduces delay tothe user. The establishment of the TCP connection takes one accessnetwork 307 round trip traversal and then the requesting of the URL andreceiving its response takes another round trip traversal. Delay is of aparticular concern in the system 100 if the access network 307, in anexample embodiment, is a satellite network, in that the network latencyof the satellite network is conventionally longer than terrestrialnetworks. To minimize such delay, the system 100 supports HTTP proxyingand/or DNS proxying.

The web browser of the host 301 may be configured to either access URLsdirectly from the web server 313 or from the terminal 305, which acts asa HTTP proxy. As discussed above, a URL specifies an address of an“object” in the Internet 311 by explicitly indicating the method ofaccessing the resource.

The terminal 305 acts as an intermediary between one or more browsersand many web servers (e.g., server 313). The web browser requests a URLfrom the terminal 305 which in turn “gets” the URL from the addressedweb server 313. When the browser is configured to access URLs via aterminal 305, the browser does not need to perform a DNS lookup of theURL's web server because it is requesting the URL from the proxy serverand need only be able to contact the proxy server. The terminal 305 cancache the most frequently accessed URLs. When the web server 313delivers a URL to the terminal 305, the web server 313 may deliver alongwith the URL an indication of whether the URL should not be cached andan indication of when the URL was last modified.

Under this non-PEP network acceleration scheme, the terminal 305supports two proxy agents: a HTTP Proxy and a DNS proxy, and can includea Layer 4 (L4) switch. As used herein, Layer 4 refers to the transportlayer of the OSI (Open Systems Interconnection) model; it is recognized,however, that Layer 4 may denote any equivalent protocol. The DNS Proxyreceives and processes DNS requests. The DNS Proxy handles identicallysuch requests whether they come directly from a client or transparentlyvia the L4 switch. When the DNS Proxy receives a request, the DNS Proxylooks up the domain name in its cache. If the DNS proxy is unable toservice the request from this DNS cache, the DNS Proxy sends out a DNSrequest to the configured DNS server (not shown) and provides theresponse to the requestor (e.g., host 301). The DNS proxy then updatesthe entry in the cache.

Further, the terminal 305 utilizes, in an example embodiment, a TCP/IPstack as well as a network address translation (NAT) function layer. TheNAT layer provides address translation between a private network (i.e.,a stub domain), such as a local area network (LAN) 303, and a publicnetwork, such as the Internet 311. Address translation is necessary whenthe LAN 303 utilizes unregistered IP addresses, for example. The NATfunctions are detailed in Internet Engineering Task Force (IETF) Requestfor Comment (RFC) 1631, entitled “The IP Network Address Translator(NAT),” which is incorporated herein by reference in its entirety.

The Layer 4 switch function, which can be included in a LAN driver(e.g., Ethernet driver), routes all domain name server lookups (i.e.,DNS requests) and HTTP requests traversing the driver up through thestack to their respective proxies. The Layer 4 switch functionidentifies these requests by examining the port number of the packets,and modifies the addresses and ports to redirect the request packets tothe appropriate proxy. It performs a similar function of modifyingpacket address and port fields of response packets from the proxies toroute those responses back to the browser. To accomplish this, the Layer4 switch function also maintains the TCP connection control block. Thisoperation by the Layer 4 switch function is more fully described in U.S.Provisional patent application, entitled “Transparent ProxyingEnhancement” (Ser. No. 60/271,405), which is incorporated herein byreference in its entirety.

FIG. 6 is a diagram of the PEP and VPN functionality integration of FIG.1, according to one embodiment of the present invention. The PEP peer101 that has connectivity to the PEP peer 107 via a backbone connection535 a and 535 b over encrypted tunnel 113 provided by VPN peers 103 and105. By way of example, PEP peers 101 and 107 handle IP packets. PEPpeer 101 includes an internal IP packet routing module 505 a thatreceives local IP packets 525 a and exchanges these packets with a TCPspoofing kernel 513 a and a backbone protocol kernel 515 a. Similarly,the remote PEP peer 107 includes an internal IP packet routing module505 b that is in communication with a TCP spoofing kernel 513 b and abackbone protocol kernel 515 b.

For traffic from the host 301 destined for the access network 307 (i.e.,egress traffic), the PEP peer 101 receives IP packets 525 a from itsnetwork interface 501. Non-TCP IP packets can be forwarded (asappropriate) to the interface 503. TCP segments 527 a are internallyforwarded to TCP spoofing kernel 513 a. TCP segments 529 a which belongto connections that are not to be spoofed are passed back by thespoofing kernel 513 a to the routing module 505 a to be forwardedunmodified to the interface 503. For spoofed TCP connections, the TCPspoofing kernel 513 a locally terminates the TCP connection. TCP data531 a that is received from a spoofed connection is passed from thespoofing kernel 513 a to the backbone protocol kernel 515 a, and thenmultiplexed data 533 a is provided onto the appropriate backboneprotocol connection. The backbone protocol kernel 515 a ensures that thedata 533 a is delivered across the access network 307 as IP packets 535a via the VPN peer 103.

For traffic from the access network 307 (ingress traffic), the PEP peer107 receives IP packets from its interface 503. IP packets that are notaddressed to the end point 107 are simply forwarded (as appropriate) tothe network interface 501. IP packets 535 b addressed to the end point107, which have a protocol header type of “PBP” (PEP Backbone Protocol)are forwarded as data 533 b to the backbone protocol kernel 515 b. Thebackbone protocol kernel 515 b extracts the TCP data and forwards theextracted data 531 b to the TCP spoofing kernel 513 b for transmissionas data 527 b on the appropriate spoofed TCP connection. In addition tocarrying TCP data, the backbone protocol connection is used by the TCPspoofing kernel 513 a to send control information to its peer TCPspoofing kernel 513 b in the remote PEP peer 107 to coordinateconnection establishment and connection termination.

Prioritization “P” can be applied at four points in the system of FIG. 6within routing module 505 a and TCP spoofing kernel 513 a of PEP peer101, and within routing module 505 b, and TCP spoofing kernel 513 b ofPEP peer 107. With egress traffic, priority rules are applied to thepackets of individual TCP connections at the entry point to the TCPspoofing kernel 513 a. These rules allow a user (e.g., customer) tocontrol which spoofed applications have higher and lower priority accessto spoofing resources. Egress prioritization is also applied beforeforwarding packets to the access network 307. This allows a customer tocontrol the relative priority of spoofed TCP connections with respect tounspoofed TCP connections and non-TCP traffic (as well as to control therelative priority of these other types of traffic with respect to eachother). On the ingress side, prioritization is used to control access tobuffer space and other resources in the PEP peer 107, generally and withrespect to TCP spoofing. The PEP peers 101 and 107 and the correspondingVPN functions 103 and 105 can be implemented at various componentswithin the system of FIG. 3, according to various embodiments.

The architecture of FIGS. 5 and 6 provides a number of advantages.First, TCP spoofing can be accomplished for both ingress and egresstraffic. Additionally, the system supports spoofing of TCP connectionstartup, and selective TCP spoofing with only connections that canbenefit from spoofing actually spoofed. Further, the system enablesprioritization among spoofed TCP connections for access to TCP spoofingresources (e.g., available bandwidth and buffer space). Thisprioritization is utilized for all types of traffic that compete forsystem resources.

With respect to the backbone connection, the system is suitable forapplication to a satellite network as the WAN (shown in FIG. 4). Thatis, the backbone protocol is optimized for satellite use in that controlblock resource requirements are minimized, and efficient error recoveryfor dropped packets are provided. The system also provides a feedbackmechanism to support maximum buffer space resource efficiency. Further,the system provides reduced acknowledgement traffic by using a singlebackbone protocol ACK to acknowledge the data of multiple TCPconnections.

As previously described with respect to FIG. 1, a pair of PEP peers 101,107 can be located at the edge of a network that requires enhancement inperformance and/or efficiency. These PEP peers 101, 107 can be locatedin devices or network elements in such a way that they can intercept aTCP connection's packets, as illustrated below in FIG. 7.

FIG. 7 is a diagram of a system capable of deploying PEP functions,according to one embodiment of the present invention. PEP functionality,as shown, can be deployed in a number of network elements. In thisscenario, a terminal 701 supports PEP functions in communicating over anaccess network 703 to a PEP peer within a gateway 705. The PEP functionof the gateway 705 can also interact with a PEP function within a host707 that interfaces with a terminal 709 for access to the network 703.Additionally, the PEP function can reside in a terminal 711, whichserves the host 713. In this manner, the PEP peers within the networkelements 701, 707, 711 can establish PEP connections (i.e., PEP backboneconnections) to the gateway 705, which permits access to the Internet715. For example, the host 713 can retrieve information from server 717(e.g., web server) over the PEP connection between the PEP peers withinthe terminal 711 and the gateway 705 with minimal delay over the accessnetwork 703.

Likewise, hosts 719, which are connected via a local network 721, canaccess the web server 717 off the Internet 715 without great impact fromthe latency of the access network 703 over the PEP connectionestablished by the terminal 701 to the gateway 705. The PEP peer withinthe terminal is transparent to the local network 721, and thus, thehosts 719.

IV. Example VPN and PEP Configurations

FIG. 8 is a diagram of the system of FIG. 3 in which the access terminalhas integrated VPN and PEP functionalities and communicates with theValue-added VPN server, according to an embodiment of the presentinvention. To implement PEP, the PEP function requires access to thepackets to be “PEPed”, that is, the packets that will be transportedover the PEP connection, for example, to traverse the access network307. Also, to properly provide VPN capability, the VPN peers need accessto the packets that are to be tunneled and encrypted. Accordingly, inone embodiment, the terminal 305 includes the PEP and VPN functions,which have the required access to all the packets. The access terminal305 includes integrated PEP and VPN peer components and connects to theaccess network 307 to the access gateway 309 to a communications network311, such as the Internet.

According to one embodiment of the present invention, the system of FIG.8 can include an intelligent access client (e.g., as deployed in theterminal 305) and an intelligent access gateway 309 to support theintegrated VPN and PEP services in the access network 307, which can bea satellite system (e.g., INMARSAT®). For example, the intelligentaccess client can be configured to perform TCP, PEP, and ITU(International Telecommunications Union) V.44 compression. Theintelligent access client can be hosted by any number of computingdevices, such as desktop PC, laptop, Personal Digital Assistant (PDA),cellular phone, IEEE 802.11 client, web appliance, etc.

Similarly, the intelligent access gateway 309 can be configured tosupport TCP, PEP, and ITU V.44 compression (as shown in FIG. 12). Thegateway 309 can also provide load sharing and 1:N redundancy for highavailability. Further, the gateway 309 can interface with a Gateway GPRS(General Packet Radio Service) Serving/Support Node (GGSN) via the Giinterface.

The terminal 305, for example, a VSAT terminal, can be equipped with PEPand VPN peers to provide network performance enhancements and security.The terminal 305 is attached to a local network 303 that serves a host301, which executes a client application (e.g., web browser). One ormore PEP backbone connections between the PEP peer of the terminal 305and the PEP peer of the Value-added VPN server 323 allow TCP connectionsand their VPN data to be carried efficiently and with good performanceacross the access network 307 and the Internet 311.

When a TCP connection is routed through the terminal, the terminal 305passes its packets through the PEP peer where its data is carried by aPEP backbone connection. The packets carried over the PEP backboneconnection are then passed through the VPN peer which tunnels andencrypts the packets. Optionally, the VPN peer can provide packetauthentication to protect against tampering by applying headers to theIP packet.

The VPN peer within the terminal 305 decrypts (and optionallyauthenticates) tunneled packets coming across the access network 307 andtransmits these packets, which are now in the “clear,” to the PEP peer,which then implements the backbone protocol and converts the packetsback into TCP. The terminal 305 then passes the reconstituted TCP framesto the host 301 on the local network 303.

Under this example, the Value-added VPN server 323 includes the abilityto perform PEP and VPN functions, such that traffic from the host 301can securely access the server 327 off the intranet 325. To implementthe value added service, the PEP function within the server 323maintains routing information that maps TCP connections to PEP peers andthen to map PEP backbone connections to the appropriate VPN tunnel. Asdescribed in FIG. 3, the PEP peer to VPN tunnel routing can be performedbased on a routing table, which can be dynamically created or loadedinto the Value-added VPN server 323. Alternatively, routing can beintegrated where there is either one or no peers for each VPN tunnel,and the selection of the VPN tunnel implicitly selects the PEP peer.Under this approach, the integrated routing can either be configuredcompletely or dynamically learned via PEP peer discovery (e.g., by thePEP backbone connection establishment) or by a routing protocol.

In another example of how the PEP and VPN functions can be implemented,a PEP connection and associated VPN tunnel can be established betweenthe host 301 and the server 321 within the intranet 319, as describedbelow.

FIG. 9 is a diagram of the system of FIG. 3 in which the access terminalhas integrated VPN and PEP functionalities and communicates with the VPNserver and the PEP gateway, according to an embodiment of the presentinvention. Under this scenario, secure communications is supported bythe VPN peer within the terminal 305 and the VPN server 315. A VPNtunnel is established between the terminal 305 and the VPN server 315.The client application within the host 301 generates traffic over thelocal network 303 to the terminal 305, which compresses and encrypts thetraffic based on the PEP and VPN functions. This encrypted traffic istransported across the access network 307 to the Internet 311 via thegateway 309. At this point, the VPN server 315 decrypts the traffic fromthe host 301 and forwards the packets to the PEP gateway 317, whichcommunicates with the intranet 319 on which the destination server 321resides.

As stated, a variety of host-to-host connectivity configurations can besupported.

FIGS. 10 and 11 show diagrams of communication systems in which one ormore VPN clients communicate with a terminal having VPN and PEPfunctions, according to various embodiment of the present invention. Insome cases, it may be desirable to not implement the PEP function in theuser's host; accordingly only the VPN function without the PEP functionis loaded in the host, as shown in FIGS. 10 and 11. For instance, if thehost 301 lacks sufficient memory or processing power to support both PEPand VPN functionality, then installing only the VPN peer in the host301, while the PEP function resides in the terminal 305 will not likelyimpact the security and performance advantages of the system. Assumingthe access network 307 poses the potential bottleneck in the system,situating the PEP peers to encompass this network 307 will provide thegreatest performance gain. As discussed previously, the users' do notwant to expose their traffic on the local network 303 (for example,because it is a publicly accessible wireless LAN or because the “wire”might be tapped). Consequently, a segmented VPN connection can beutilized, such that the PEP function is applied in between the segments.In other words, under this arrangement, the VPN connection is considered“segmented” across a PEP connection and a non-PEP connection (i.e.,standard TCP connection). For example, the VPN client in the host 301establishes a VPN tunnel with the VPN peer in the terminal 305, whilethe PEP peer in the terminal 305 operates in conjunction with the PEPpeer in the gateway 309 over the access network 307. The access network307, as discussed earlier, can be a VSAT satellite network, which isinherently secure. The VPN peer of the gateway 309 communicates with theVPN server 315 over a secure tunnel that is independent from the VPNsegment between the host 301 and the terminal 305. The above segmentedapproach can be applied to multiple hosts 301, 331 (as shown in FIG. 11)in which multiple VPN connections can share one or more PEP connectionacross the access network 307 to communicate with the same intranet 319.Separate VPN connections are established between the access terminal 305and each host 301, 331. Also, a PEP connection and VPN connection areestablished between the access terminal 305 and the VPN server 315 andthe PEP gateway 317 on the other side of the access network 307. Trafficreceived from the hosts 301, 331 by the terminal 305 via the VPNconnections to the hosts 301, 331 is passed through the PEP function ofthe terminal 305 and then fed into the VPN connection to the VPN peer ofthe VPN server 315 on the other side of the access network 307.Subsequently, the decrypted traffic out of the VPN server 315 istransmitted to the PEP function of the PEP gateway 317.

On the VPN server side of the access network 307, the segmentation canalso be used, for example, to allow the access network 307 provided tohost the PEP function for cost and scalability reasons. This aspect ofan embodiment of the present invention provides great flexibility forsupporting configurations in which the integrated PEP and VPN cannot be,or is desirable to not be, “pushed out” to the very edge of the networkpaths (which are protected by VPN functionality).

The above concept can be extended to support any number of segments,allowing different or differently tuned and configured PEP functions tobe used for different parts of the secured path.

FIG. 12 is a diagram of the system of FIG. 3 in which the accessterminal has integrated VPN and PEP functionalities and is capable ofdynamically selecting PEP backbone connections, according to anembodiment of the present invention. As noted, the mapping of TCPconnections to a PEP peer can be performed by a routing table (shown as“R”). In this example, the terminal 305 maintains the routing table,which identifies the PEP peer's IP address and contains one or more IPaddress masks in such a way that a destination IP address of a TCPconnection matches one or more of the IP address masks. Accordingly, theTCP connection can be routed to the appropriate PEP peer. The routinginformation in this table may be either statically configured ordynamically created as PEP peers are “discovered,” and VPN tunnels andPEP backbone connections are created to the peers.

The routing within the terminal 305 is integrated such that there is oneVPN peer (e.g., VPN server 315 and Value-added VPN server 323) for eachVPN tunnel and the selection of the VPN tunnel implicitly selects thePEP peer (i.e., gateway 309, PEP gateway 317, and PEP peer in theValue-added VPN server 323). The integrated routing can either beconfigured completely or dynamically learned via PEP peer discovery(typically by the PEP backbone connection establishment) or by a routingprotocol. In this example, the client application in the host 301 cangenerate traffic that take a number of paths 1201, 1203, 1205, accordingto the needs of the application. In one scenario, the host 301 seeks tocommunicate with the server 313 (e.g., web server) within the Internet;in this case, the terminal 305 elects to route the traffic over the path1201 using only the PEP function, without the VPN function, based on therouting table. However, when the host being accessed is local to anintranet and only reachable via VPN, the terminal 305 can invoke its VPNpeer in support of communication with the servers 321, 327 within therespective intranets 319, 325 over the paths 1203 and 1205. Thecapability to select the particular PEP backbone connection allows theterminal 305 to both allow its hosts (e.g., 301) to reach hosts (e.g.,server 313) on the Internet 311 and to securely reach hosts (e.g.,servers 321, 327) within various intranets 319, 325.

FIG. 13 is a diagram of the system of FIG. 3 in which a host hasintegrated VPN and PEP functionalities, according to an embodiment ofthe present invention. For example, the host 301 includes a clientapplication 1301 above a TCP/IP stack 1303; further, a VPN driver 1305,which provides a PEP peer 1305 a and a VPN peer 1305 b. Also, the host301 utilizes LAN driver 1307 to interface with the local network 303.

The VPN driver 1305 executes the necessary protocols to create the VPNtunnels. These protocols include the following: Carrier protocol,Encapsulating protocol, and Passenger protocol. The carrier protocol isspecific to the network that is transporting the packets. TheEncapsulating protocol can include, for example, Generic RoutingEncapsulation (GRE), IPSec, PPTP, and L2TP. Lastly, the Passengerprotocol is the protocol of the data that is being transported, such asIP.

The above configuration supports both the PEP function and the VPNfunction within the VPN driver. However, in another embodiment of thepresent invention, the PEP function can be implemented as a separatedriver, as shown in FIG. 14.

FIG. 14 is a diagram of the system of FIG. 3 in which a host hasintegrated VPN and PEP functionalities with separate PEP and VPN driverbindings, according to an embodiment of the present invention. The host301, in this instance, includes a PEP driver 1401 that is separate froma VPN driver 1403. As with the system of FIG. 13, the host 301 has aclient application 1405, a TCP/IP stack 1407, and a LAN driver 1409.

According to another embodiment of the present invention, the host 301can be configured to selectively employ the PEP and VPN functions, asshown in FIG. 15.

FIG. 15 is a diagram of a packet flow in the system of FIG. 14,according to an embodiment of the present invention. The host 301includes two client applications 1405, 1411. The application 1411generates traffic that is destined to another host 1501 within the localnetwork 303; the traffic follows a path 1503, which bypasses the PEP andVPN functions, as such functions are not needed. However, if thefeatures of the PEP and VPN functions are needed, as in the case of theapplication 1405, then these functions can be obtained through path1505, which leads to the server 321 within the intranet 319.

FIG. 16 is a diagram of the system of FIG. 3 in which a host hasintegrated VPN and PEP functionalities and is capable of dynamicallyselecting PEP backbone connections, according to an embodiment of thepresent invention. In this implementation, the host 301 maintains arouting table for supporting the selection of PEP connections. Therouting operation between the PEP and VPN functions is similar to thatdetailed in FIG. 12. In this example, the client application 1405generates packets in which the TCP/IP stack 1407 can utilize the routingtable (“R”) to map TCP connections to PEP connections, and selectivelyestablish VPN tunnels. For example, if the application 1405 needs tocommunicate with the server 313 within the Internet 311, then thepackets traverse the path 1507, which is strictly PEPed traffic, withouttriggering establishment of a VPN tunnel.

However, in certain circumstances, the security features of VPN arerequired, as in the communications to the intranet servers 321, 327. Insuch instances, the traffic flows along the paths 1505, 1509.

As evident from the above discussion, the integration of PEP and VPNfunctionalities can enhance network performance, while ensuring a highlevel of security. Additionally, the present invention supports avariety of configurations within the network elements; this flexibilityadvantageously enhances network scalability, as the PEP and VPN peerscan be independently deployed in a number of network components.

V. Example Computing System

FIG. 17 illustrates a computer system 1700 upon which an embodimentaccording to the present invention can be implemented. The computersystem 1700 includes a bus 1701 or other communication mechanism forcommunicating information, and a processor 1703 coupled to the bus 1701for processing information. The computer system 1700 also includes mainmemory 1705, such as a random access memory (RAM) or other dynamicstorage device, coupled to the bus 1701 for storing information andinstructions to be executed by the processor 1703. Main memory 1705 canalso be used for storing temporary variables or other intermediateinformation during execution of instructions to be executed by theprocessor 1703. The computer system 1700 further includes a read onlymemory (ROM) 1707 or other static storage device coupled to the bus 1701for storing static information and instructions for the processor 1703.A storage device 1709, such as a magnetic disk or optical disk, isadditionally coupled to the bus 1701 for storing information andinstructions.

The computer system 1700 can be coupled via the bus 1701 to a display1711, such as a cathode ray tube (CRT), liquid crystal display, activematrix display, or plasma display, for displaying information to acomputer user. An input device 1713, such as a keyboard includingalphanumeric and other keys, is coupled to the bus 1701 forcommunicating information and command selections to the processor 1703.Another type of user input device is cursor control 1715, such as amouse, a trackball, or cursor direction keys for communicating directioninformation and command selections to the processor 1703 and forcontrolling cursor movement on the display 1711.

According to one embodiment of the invention, the integrated PEP and VPNfunction is provided by the computer system 1700 in response to theprocessor 1703 executing an arrangement of instructions contained inmain memory 1705. Such instructions can be read into main memory 1705from another computer-readable medium, such as the storage device 1709.Execution of the arrangement of instructions contained in main memory1705 causes the processor 1703 to perform the process steps describedherein. One or more processors in a multi-processing arrangement canalso be employed to execute the instructions contained in main memory1705. In alternative embodiments, hard-wired circuitry can be used inplace of or in combination with software instructions to implement theembodiment of the present invention. Thus, embodiments of the presentinvention are not limited to any specific combination of hardwarecircuitry and software.

The computer system 1700 also includes a communication interface 1717coupled to bus 1701. The communication interface 1717 provides a two-waydata communication coupling to a network link 1719 connected to a localnetwork 1721. For example, the communication interface 1717 can be adigital subscriber line (DSL) card or modem, an integrated servicesdigital network (ISDN) card, a cable modem, or a telephone modem toprovide a data communication connection to a corresponding type oftelephone line. As another example, communication interface 1717 can bea local area network (LAN) card (e.g. for Ethernet™ or an AsynchronousTransfer Model (ATM) network) to provide a data communication connectionto a compatible LAN. Wireless links can also be implemented. In any suchimplementation, communication interface 1717 sends and receiveselectrical, electromagnetic, or optical signals that carry digital datastreams representing various types of information. Further, thecommunication interface 1717 can include peripheral interface devices,such as a Universal Serial Bus (USB) interface, a PCMCIA (PersonalComputer Memory Card International Association) interface, etc.

The network link 1719 typically provides data communication through oneor more networks to other data devices. For example, the network link1719 can provide a connection through local network 1721 to a hostcomputer 1723, which has connectivity to a network 1725 (e.g., a widearea network (WAN) or the global packet data communication network nowcommonly referred to as the “Internet”) or to data equipment operated byservice provider. The local network 1721 and network 1725 both useelectrical, electromagnetic, or optical signals to convey informationand instructions. The signals through the various networks and thesignals on network link 1719 and through communication interface 1717,which communicate digital data with computer system 1700, are exampleforms of carrier waves bearing the information and instructions.Although a single interface 1717 is shown, it is recognized thatmultiple communication interfaces can be utilized, depending on theconnectivity desired.

The computer system 1700 can send messages and receive data, includingprogram code, through the network(s), network link 1719, andcommunication interface 1717. In the Internet example, a server (notshown) might transmit requested code belonging an application programfor implementing an embodiment of the present invention through thenetwork 1725, local network 1721 and communication interface 1717. Theprocessor 1703 can execute the transmitted code while being receivedand/or store the code in storage device 1709, or other non-volatilestorage for later execution. In this manner, computer system 1700 canobtain application code in the form of a carrier wave.

The term “computer-readable medium” as used herein refers to any mediumthat participates in providing instructions to the processor 1703 forexecution. Such a medium can take many forms, including but not limitedto non-volatile media, volatile media, and transmission media.Non-volatile media include, for example, optical or magnetic disks, suchas storage device 1709. Volatile media include dynamic memory, such asmain memory 1705. Transmission media include coaxial cables, copper wireand fiber optics, including the wires that comprise bus 1701.Transmission media can also take the form of acoustic, optical, orelectromagnetic waves, such as those generated during radio frequency(RF) and infrared (IR) data communications. Common forms ofcomputer-readable media include, for example, a floppy disk, a flexibledisk, hard disk, magnetic tape, any other magnetic medium, a CD-ROM,CDRW, DVD, any other optical medium, punch cards, paper tape, opticalmark sheets, any other physical medium with patterns of holes or otheroptically recognizable indicia, a RAM, a PROM, and EPROM, a FLASH-EPROM,any other memory chip or cartridge, a carrier wave, or any other mediumfrom which a computer can read.

Various forms of computer-readable media can be involved in providinginstructions to a processor for execution. For example, the instructionsfor carrying out at least part of the present invention can initially beborne on a magnetic disk of a remote computer. In such a scenario, theremote computer loads the instructions into main memory and sends theinstructions over a telephone line using a modem. A modem of a localcomputer system receives the data on the telephone line and uses aninfrared transmitter to convert the data to an infrared signal andtransmit the infrared signal to a portable computing device, such as apersonal digital assistant (PDA) and a laptop. An infrared detector onthe portable computing device receives the information and instructionsborne by the infrared signal and places the data on a bus. The busconveys the data to main memory, from which a processor retrieves andexecutes the instructions. The instructions received by main memory canoptionally be stored on storage device either before or after executionby processor.

Accordingly, an approach for integrating Virtual Private Network (VPN)and Performance Enhancing Proxying (PEP) in which a VPN tunnel can besegmented to selectively provide PEP functionality. PEP peers canestablish a PEP connection to support the PEP function for any portionof the VPN tunnel, particularly, the portion that traverses a highlatency network. This approach advantageously supports securecommunications, while enabling a service provider to implement the PEPfunction and VPN function independently throughout the network, therebyreducing costs and improving flexibility.

While the present invention has been described in connection with anumber of embodiments and implementations, the present invention is notso limited but covers various obvious modifications and equivalentarrangements, which fall within the purview of the appended claims.

What is claimed is:
 1. A method comprising: establishing, by a firstsecurity peer node of a first network site, a secure data tunnel fromthe first security peer node to a second security peer node of a secondnetwork site remote from the first network site via a plurality ofsecure segments across a data communications network; providing, by thefirst security peer node, a notification to a first performanceenhancing proxy (PEP) node of the first network site confirming theestablishment of the secure data tunnel; and establishing, by the firstPEP node, upon receipt of the notification from the first security peernode, a PEP connection between the first PEP node and a second PEP nodeof the second network site via the secure data tunnel, wherein thereceipt of the notification from the first security peer node confirmingthe establishment of the secure data tunnel triggers the establishing ofthe PEP connection by the first PEP node; and wherein the PEP connectionprovides a performance enhancing function, and wherein the performanceenhancing function multiplexes one or more data packet flows fortransmission over the PEP connection from the first network site to thesecond network site.
 2. The method according to claim 1, wherein theestablishment of the PEP connection via the secure data tunnelcomprises: determining that the data packet flows are to be carried viathe secure data tunnel; and establishing the PEP connection byperforming a connection startup process with the second PEP node andinitiating the performance enhancing function.
 3. The method accordingto claim 1, wherein the secure data tunnel consists of a virtual privatenetwork (VPN) tunnel formed by the plurality of secure segments acrossthe data communications network.
 4. The method according to claim 1,wherein at least one of the data packet flows is generated in accordancewith transmission control protocol (TCP)/Internet protocol (IP) datacommunications protocols.
 5. The method according to claim 1, whereinthe PEP connection comprises a plurality of data sub-paths, wherein eachdata sub-path corresponds to a different priority level configured tocarry data packets of the respective priority level, and wherein eachdata packet flow is assigned to a one of the sub-paths based on one ormore predetermined priority assignment rules.
 6. The method according toclaim 5, wherein the performance enhancing function includes one or moreof connection startup latency reduction, acknowledgment messagespoofing, window sizing adjustment, compression and selectiveretransmission.
 7. The method according to claim 5, wherein thepredetermined priority assignment rules are based on criteriacorresponding to the data packet flows, wherein the criteria compriseone or more of destination IP address, source IP address, source portnumber, destination port number, user datagram protocol (UDP) sourceport number, UDP destination port number, type of service (TOS), anddata type.
 8. An apparatus comprising: a first security peer node of afirst network site configured to establish a secure data tunnel from thefirst security peer node to a second security peer node of a secondnetwork site via a plurality of secure segments across a datacommunications network, wherein the second network site is locatedremote from the first network site; and a first performance enhancingproxy (PEP) node of the first network site configured to establish a PEPconnection between the first PEP node and a second PEP node of thesecond network site via the secure data tunnel; and wherein the PEPconnection provides a performance enhancing function, wherein theperformance enhancing function multiplexes one or more data packet flowsfor transmission over the PEP connection, and wherein the first securitypeer is further configured to provide a notification to the first PEPnode confirming the establishment of the secure data tunnel, and thereceipt of the notification from the first security peer node confirmingthe establishment of the secure data tunnel triggers the establishing ofthe PEP connection by the first PEP node.
 9. The apparatus according toclaim 8, wherein the performance enhancing function includes one or moreof connection startup latency reduction, acknowledgment messagespoofing, window sizing adjustment, compression and selectiveretransmission.
 10. The apparatus according to claim 8, wherein theestablishment of the PEP connection via the secure data tunnelcomprises: determining that the data packet flows are to be carried viathe secure data tunnel; and; establishing the PEP connection byperforming a connection startup process with the second PEP node andinitiating the performance enhancing function.
 11. The apparatusaccording to claim 8, wherein the secure data tunnel consists of avirtual private network (VPN) tunnel formed by the plurality of securesegments across the data communications network.
 12. The apparatusaccording to claim 8, wherein at least one of the data packet flows isgenerated in accordance with transmission control protocol (TCP) /Internet protocol (IP) data communications protocols.
 13. The apparatusaccording to claim 8, wherein the PEP connection comprises a pluralityof data sub-paths, wherein each data sub-path corresponds to a differentpriority level configured to carry data packets of the respectivepriority level, and wherein each data packet flow is assigned to a oneof the sub-paths based on one or more predetermined priority assignmentrules.
 14. The apparatus according to claim 13, wherein thepredetermined priority assignment rules are based on criteriacorresponding to the data packet flows, wherein the criteria compriseone or more of destination IP address, source IP address, source portnumber, destination port number, user datagram protocol (UDP) sourceport number, UDP destination port number, type of service (TOS), anddata type.
 15. The apparatus according to claim 8, wherein, upon receiptof a notification of a failure of one or more of the plurality of securesegments that inhibits the data packet flows over the PEP connection,the first PEP node is configured to terminate the PEP connection. 16.The apparatus according to claim 15, wherein, upon an initiation of anew data packet flow to be carried over the secure data tunnel, thefirst PEP node is configured to determine whether the performanceenhancing function should be applied to the new packet data flow, andwherein (i) in an event that the first PEP node determines that theperformance enhancing function should be applied to the new packet dataflow, the first PEP node is configured to establish a new PEP connectionbetween the first PEP node and the second PEP node via the secure datatunnel for transmitting the new data packet flow over the new PEPconnection subject to the performance enhancing function, and (ii) in anevent that the first PEP node determines that the performance enhancingfunction should not be applied to the new packet data flow, the firstPEP node is configured to allow the new packet data flow to functionwithout application of the performance enhancing function.
 17. Themethod according to claim 1, wherein, upon receipt by the first PEP nodeof a notification of a failure of one or more of the plurality of securesegments that inhibits the data packet flows over the PEP connection,the method further comprises terminating the PEP connection.
 18. Themethod according to claim 17, wherein, upon an initiation of a new datapacket flow to be carried over the secure data tunnel, the methodfurther comprises: determining, by the first PEP node, whether theperformance enhancing function should be applied to the new packet dataflow; and wherein, in an event that the first PEP node determines thatthe performance enhancing function should be applied to the new packetdata flow, the method further comprises establishing, by the first PEPnode, a new PEP connection between the first PEP node and the second PEPnode via the secure data tunnel for transmitting the new data packetflow over the new PEP connection subject to the performance enhancingfunction; and wherein in an event that the first PEP node determinesthat the performance enhancing function should not be applied to the newpacket data flow, the method further comprises allowing the new packetdata flow to function without application of the performance enhancingfunction.
 19. The apparatus according to claim 8, wherein, upon receiptof a notification of a failure of one or more of the plurality of securesegments that inhibits the data packet flows over the PEP connection,the first PEP node is further configured to terminate any protocol dataconnections facilitating the packet data flows being carried by the PEPconnection.
 20. The method according to claim 1, wherein, upon receiptby the first PEP node of a notification of a failure of one or more ofthe plurality of secure segments that inhibits the data packet flowsover the PEP connection, the method further comprises terminating anyprotocol data connections facilitating the packet data flows beingcarried by the PEP connection.